The truth about email spam
Spam is unsolicited bulk emailing, generally for commercial advertising purposes. It is the electronic equivalent of the junk mail you get from credit card companies like Capital One in your mailbox all the time. Email spam started to become a serious problem in the mid-1990s with the growth of the market for Internet-connected personal computers with integrated email capabilities.

Spam, or UBE, comprises somewhere in the range of 85% of the total email volume delivered over the Internet today. This is rightly regarded as a significant problem. A number of partial solutions to the problem exist, mostly involving heuristic and blacklist-based filters, which are nowhere near perfect. In addition to their inability to catch all spam, they also suffer from the problem of generating false positives: emails identified as spam, or email sources blocked as spam sources, that are in fact legitimate email or email sources. For most purposes, false positives are an even worse problem than little or no spam filtering at all. Without a reasonable guarantee that legitimate emails will get through, email is useless, no matter how clean of spam it may be.

Dire portents:

Some have taken this to mean that email is a dead medium. In his recent article in the Programming and Development weblog here at TechRepublic, Justin James laid out his case for the obsolescence of email in a series of bullet-points. Let's examine these arguments:

  • SMTP does not enforce any assurances that the server sending e-mail is authorized to act on behalf of the domain that the sender is from. There are add-ons for this like SenderID and the use of SPF tags in DNS, but they are hardly universal.

The fact that SMTP doesn't provide that authentication process is hardly a deal-breaker, though it is arguably a weakness in the protocol specification. As Justin points out, there are implementations of solutions to this problem, however -- and the fact that none of them are universal may simply be a matter of the lack of maturity of the technique. Providing such server authentication should become a priority for webserver administrators everywhere in the future.

Claiming that the lack of universal deployment of such solutions is reason to regard email as a dead medium is equivalent to claiming that the lack of universal implementation of either Blu-Ray or HD-DVD as a high definition optical video storage format means we should never adopt high definition optical video storage media at all.

  • There is no requirement that encryption of the SMTP connection must always be available. Result: E-mail is open to snooping, which increases the cost and hassle of using add-on e-mail encryption products.

The implication here is that a specific encryption methodology should be built into the protocol. Protocols, however, should not mandate specific encryption methods. This would result in built-in protocol obsolescence, and the point of a protocol is to provide a standardized, reliable means of interoperability between nodes in a complex system. As security methods are obsolesced, anything inextricably tied to them will also become obsolete. Keeping encryption methods separate from the protocols that are protected by them so that they can be swapped out in modular fashion as needed is a key to the continued relevance of a given protocol's security model.

  • SMTP pushes the full message across to the destination -- as opposed to a system like RSS (or most NNTP readers) where it only pushes a notice or message header across -- to be picked up at a later time. Result: Wasted bandwidth.

The reason for this is that email is intended as a message-sending medium, and not a publishing medium. With a system like RSS, there are at least two separate single points of failure -- components of the system that can each, on their own, result in a failure of service. Either a failure to deliver the notification or a failure to provide it reliably when the would-be recipient tries to retrieve it results in a service failure, whereas with email the only opportunity for service failure is in initial delivery.

The bandwidth savings for widespread electronic publishing of data is sufficiently beneficial to justify it in contexts for which it is designed. The initial notification, however, is functionally equivalent to an email in itself. This means that breaking email up in two stages like RSS is equivalent to continuing to use email as it is, but requiring an additional step on the part of the recipient that is potentially at least as prone to failure as the first step. For personal communications, this trade-off between bandwidth and reliability is not a good one.

  • SMTP doesn't have any way of controlling or even monitoring the progress of the mail sent. Result: E-mail is not nearly as useful for business purposes as it should be.

Frankly, I'm not sure what Justin expects here.

  • SMTP does not offer any authentication, verification, or proof of identity.

This is, in effect, another perspective on the first bullet-point. It should not have been presented separately.

The source of the problem:

Ultimately, the problem of email spam is directly related to the reasons it is so cost effective as a means of advertisement. Spam email would not be nearly as beneficial to spammers if they had to send their own email -- the reason it is cost effective is that spammers aren't really doing the spamming.

Instead, massive spam botnets are doing all the hard work. Trojans and other infections are spread to millions of personal computers that are then tied together in a loose, distributed spambot network which can be used to send emails in bulk, in numbers that boggle the mind. The ease of infecting the systems used in these botnets is the real problem.

Authentication of the sender would reduce the ability of spammers to pretend to be a sender other than the infected system. Encryption would have no effect on spam at all. If anything, a savings in bandwidth would make spam easier and more common.

Eliminating the means by which spammers defer their costs to millions of unsuspecting home users of personal computers, however, would have a significant effect on the volume of spam.

The solution:

Replacing SMTP as a communication protocol will not eliminate spam. Even if spam over internet telephony is not likely to be a particular danger for a few years yet, that doesn't mean that a widespread replacement for email will be immune to the sort of spam problems that are such a major issue for SMTP.

Changing communication media will, if anything, probably only increase the ability of spammers to leverage those media for bulk commercial solicitation. This is because:

  1. For such a new communication protocol to catch on, it must at worst be no less convenient and economical than SMTP. That convenience and economy is part of what makes mass quantities of spam of the sort we see weighing down the Internet possible.
  2. A new protocol to replace SMTP would not solve the problem of deferment of resource consumption by spam from the spammers to the common home computer user, because it does not address the vulnerabilities that allow those computers to be recruited into spam botnets.

As such, the solution to spam is not replacing SMTP -- it is dealing with the epidemic of near-zero attention to security on home PCs.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

110 comments
ToddMarshall

A very simple protocol change makes the SPAM problem go away. It's this:
1. When a message is "sent", the body of the message stays on the sender's server.
2. When a message is "sent", a "tiny" notice goes to the recipient's server.
3. A recipient is "notified" that the sender has sent a message. The recipient uses this "notice" to retrieve the "message" from the sender's server.
4. If the recipient does not want to see the sender's message he simply deletes the notice.
Why it works:
1. The sender is not anonymous. He must be "known" for you to go for your message from him.
2. The storage burden (e.g. for large messages) is for the sender's account ... not the recipient's. There is always only one copy of the message rather than a separate copy for each recipient.
And if you like the current protocol better? Just tell your server to accept messages immediately for all notices it receives. And if you like to use white lists and black lists? Just tell your server to only accept messages with notices from your white list, or to discard notices and not retrieve messages from senders on your black list.

skyeye

The most effective way to control spammers is to make the death penalty (preferably by stoning or some such barbaric means) mandatory for anyone who participates in any way in the distribution of spam. After all, we kill mosquitoes and other parasites.

teeeceee

As a test of the assumption (and probably a correct one), send a chain mailing (more spam) to advertise a worldwide home computer outage (everyone turn off and unplug their home computers) at some near future and trackable date, so that the level of spam could be monitored and compared to the norm.

richard.n.carpenter

Like the loads of junk snail mail I get and subsidize through my first class postage - it doesn't hurt! I clean out my snail mailbox, shredding the free checks, and dump it all in some ground water polluting landfill. My junk email, on the other hand, goes into a nice sanitary bit bucket. It doesn't hurt!

scharppslicer

Pop Ups despite blockers. Even though I have PU blockers, they're still hitting my screen like bugs on a windshield in Nebraska. Some of the ads have 800 toll free numbers, which makes me almost want to call several times to rack up a phone bill. If I could specifically block a vendor. But I'll keep snooping. Swordifwords

rocyahsoul

The truth is, a solution already exists. It's called challenge response email filtering. It issues a challenge to every email that has not yet been verified as a person sender. If the person sender fills in the captcha code they're added to the email client's "white list". That you cover all the bogus solutions without hinting toward the ACTUAL solution highlights you as propagandist scum, tied to either the spam industry or more likely the communication squashing powers that dominate the planet beyond even cyberspace.

mcook

I think you minimize one aspect: botnets are being set up by multinational criminal syndicates. Spam is being done by criminals hijacking other people's computers. Don't just say that spammers don't send the spam. Of course they send it -- to their bots. People who buy from spammers are giving their credit card numbers to criminals. Who is getting that message out?

Spam would stop if ISPs stopped allowing their home users (or actually, the bots on those computers) to directly send SMTP. Spam would stop if ISPs stopped accepting smtp connections from other computers that have been delivering spam. Botnets would stop being created if people and businesses would keep their computers safe. That's true. But it would only slow spam down a bit. When we talk about spam, we need solutions that refuse to accept connections from spammers. Home users shouldn't be sending smtp mail directly, but should be going through their own ISP; so blocking smtp connections from home users is not a stretch. A machine that has sent one spam (hundreds or thousands of messages) is likely to send more, so stop accepting messages from it, preferably before it gets to the 20th message. If it stops trying to send, unblock it for a while, or until the next spam pass.

Laws might help if they are written by someone other than the Direct Marketing Association. The standard for commercial email must be confirmed opt-in -- not opt-out, not no-mail lists, but simple ways to confirm that the owner of a mailbox wants to receive the messages. Direct Marketers should be realizing that spam is a cancer that needs radical treatment, otherwise their feeble, legal attempts to communicate are lost in the torrent of spam. Radical means they need to give up the right to send email to anyone they want whenever they want, and enforce strict standards among their own colleagues. And they need to help with the fight against criminal syndicates.
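The per-source blocking mcook describes (refuse a source before its 20th message, unblock it after a while) can be sketched as a sliding-window throttle. This is an example added here, not code from the comment or from any real mail server; the threshold, window and cooldown values and the event stream it is replayed over are constructed.

```python
from collections import deque


class SourceThrottle:
    """Sliding-window throttle keyed by source IP.

    A source that reaches `threshold` messages within `window` seconds is
    refused for `cooldown` seconds; once the cooldown elapses it is allowed
    again and its history starts fresh (the "unblock it for a while" step).
    """

    def __init__(self, threshold=20, window=60.0, cooldown=600.0):
        self.threshold = threshold
        self.window = window
        self.cooldown = cooldown
        self.recent = {}   # ip -> deque of message timestamps inside the window
        self.blocked = {}  # ip -> time at which its block expires

    def allow(self, ip, now):
        """Return True if a message from ip at time `now` should be accepted."""
        expires = self.blocked.get(ip)
        if expires is not None:
            if now < expires:
                return False
            del self.blocked[ip]        # cooldown over: give the source another chance
            self.recent.pop(ip, None)
        history = self.recent.setdefault(ip, deque())
        while history and now - history[0] > self.window:
            history.popleft()           # forget messages older than the window
        history.append(now)
        if len(history) >= self.threshold:
            # The threshold-th message is the one that gets refused.
            self.blocked[ip] = now + self.cooldown
            return False
        return True


def replay(events, throttle):
    """Feed (timestamp, source_ip) events through the throttle.

    Returns {ip: (accepted, rejected)} so the effect on each source is visible.
    """
    stats = {}
    for ts, ip in events:
        accepted, rejected = stats.get(ip, (0, 0))
        if throttle.allow(ip, ts):
            stats[ip] = (accepted + 1, rejected)
        else:
            stats[ip] = (accepted, rejected + 1)
    return stats


# Constructed sample: a bot pushing 50 messages in 25 seconds, and a normal
# relay sending one message every ten minutes. Addresses are from TEST-NET.
SAMPLE_EVENTS = sorted(
    [(i * 0.5, "203.0.113.7") for i in range(50)]
    + [(i * 600.0, "192.0.2.25") for i in range(5)]
)


if __name__ == "__main__":
    for ip, (ok, refused) in replay(SAMPLE_EVENTS, SourceThrottle()).items():
        print(f"{ip}: accepted={ok} refused={refused}")
```

Note the trade-off mcook's critics raise further down the thread: a compromised legitimate server hits the same threshold as a bot, so the cooldown (rather than a permanent block) is what keeps the false-positive cost bounded.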

PhilippeV

This is the major issue of the problem; it just demonstrates that source-based filtering will not work as intended. Today most spam is sent via compromised PCs. Even if you add authorization, or source authentication, it will not prevent an authorized PC or user from being compromised by infection. The real fight against spam has to go into protecting users from being infected. The fight is:
* in the hands of OS and software writers to close security issues, to provide better automation of security updates, to give faster responses to newly discovered exploits, and to provide the necessary cleaning tools that should also run without much complication for users.
* in the hands of ISPs, to block the spread of malware: this requires some automated monitoring of network connections to detect and block the spread of malware before it reaches too many unprotected new targets. But it also requires a faster and more effective collaboration of ISPs in case of new malicious spreads.
If infection of many PCs using newly discovered exploits could be seriously slowed down, the cost of sending spam would become much more prohibitive, as the true spammers would need to actively scan many more targets: we could detect these scans as easily as we can see the current spread of spam that those many compromised PCs are relaying. Things to monitor more actively: unsecured protocols are not only SMTP, but also IRC channels or telnet connections, when they are used massively by bots to control the infected PCs. Also, it's important to fight faster to close the points of control, so that even the compromised PCs do not receive more instructions (so they'll stop sending the contents that spammers want them to relay). I see no expected success even if SMTP is secured, or uses encrypted connections, or any other authorization systems, because compromised PCs will also have direct access to the information needed for sending their spew, even through the secured connection.
Things that could help would be for OSes to secure the settings of their firewall, so that outgoing SMTP connections cannot go to any remote host other than the ISP's supported email servers. This requires collaboration between firewall designers, and some secured domain-controlled settings for the source domain. If there were such a protocol, users would be confident that, if their PC got compromised, their ISP would alert them and help them solve the issue, as the SMTP server of the ISP would more easily trace the sources of infection, and could implement more efficient filters: at the source of spam, where it causes the least damage. Fighting spam at the reception site, using filters, has too many side effects, and cannot fundamentally be better than what we have today, which is already causing lots of problems when legitimate emails (including single private mails sent to a single person) get blocked by some blacklists. Reputation-based systems will always fail, as will authentication systems and blacklists, because spammers can still find many ways to escape this control, and also because there's no standard for the blacklists and filters (so they work with distinct policies, or are not used, and spammers can easily exploit those differences). Finally, there should be a way for email users to get a unique token that they can use to send emails, until it is found that the token is compromised. This should work with a non-repudiation system, but ISPs will help users by providing them the tools to clean their installation and request (using a secured online form, or via the support service if this tool is used too often) a new fresh signature. Users that feel that their signature was compromised somewhere could just use this tool to indicate to their ISP that they no longer want to use the past one, and that they want a new one for signing their legitimate emails.
Such a tool, if automated by an online form in the support area of the ISP, should not be usable without the user actively authorizing its use; by default, it should be off, until the user contacts the ISP to request opening it. Then the user is allowed to use it at most once every day (if needed they'll have to contact the ISP support service by phone if this tool does not work for them). Any user could have the opportunity to close the prior authorization token. This system would be much more practical for users than having to change their email address. The purpose would be to validate the effective sender of an email, by his own control, but not to authorize a remote sender. We know that this does not work. However, the presence of the sender token (whose creator, its ISP, cannot be repudiated) could be mandatory for reaching an inbox. Also, a better system must be created to report abuses: the current one is not reliable, and requires too many resources and lots of verifications based on too many assumptions: this reporting system (postmaster@...) is fundamentally broken, but it is the only one currently standardized. As reporting spam does not work as intended, or is too complicated to perform, spammers continue with great success as they are not reported correctly.

richard.wilson

They just wanna sell more stamps! LOL! (Just kidding) (^_^)

stargateok

I think that if they would just have a white list, everything that wasn't on it would go to "junk" and get thrown out at whatever interval you wish. You could look through the "junk" and decide whether to put it on the white list or not. Spam does not need to be a problem. If people want to keep sending stuff that will just be deleted, then fine. Just my opinion.

apotheon

1. Recipients would still get unwanted crap from spammers -- in this case, your "notice".
2. Spam is generally sent, technically speaking, by someone other than the spammer -- from infected systems. Thus, the original spammer is still insulated against identification, because the infected system would serve the same purpose with your system as with the current system. In other words, the spammer himself is still "anonymous".
3. As things currently stand, even the infected systems are not "anonymous", either -- because email headers include information about the email's source.
4. The storage burden is currently on systems that belong to innocent people. With your system, the storage burden would still be on systems that belong to innocent people. You're just changing which innocent people would be burdened.

Tony Hopkinson

Wouldn't work for a company that makes extensive use of bulk mailing, would you by any chance?

jdclyde

Go talk to your techs and find out how much SPAM you really get. 89% of all emails coming into my company are caught by my firewall as SPAM. Then out of the 11% that gets through, another 3% of that is caught by the SPAM filter on the email server. That is bandwidth we are paying for that we can't use for ANYTHING because it is a wasted company expense because of SPAM. How much did your company spend for SPAM filtering software and hardware? A lot. What happens when you get a valid email swallowed up by the SPAM filter? Business is slowed down while the end user waits for the email. It is a few hours before they call the techs, who have to manually go into the quarantine and release the SPAM. There is a lot of time and money WASTED because of SPAM and it is getting worse, not better. It is to the point many people are going away from email as a valid business tool. Wake up and smell the coffee.

Brian

The big difference is that the mail is paid for by the sender. Email is paid for by the recipient. As an IT executive, I'm surprised you don't understand the underlying cost of spam. What about the cost of the systems that must be put in place to fight it? The cost of time wasted by your people because they have to take the time to go through the junk? Increased cost of service because ISPs have to allow extra bandwidth because 90% of email is spam? At least you can tell the post office not to put junk mail in your mailbox (in Canada, anyway). Spammers don't give you that choice.

Brian

All C/R does is relay the problem off your system to somebody else's. A majority of spam messages have forged headers. Therefore when your system issues a challenge to a spam message, all it does is become an unwitting relay, sending the spam-infested message on to an innocent third party asking for a response. Worse yet, being a source of spam like that could get your mail server blacklisted.

rocyahsoul

You said "Spam would stop if ISPs stopped allowing their home users (or actually, the bots on those computers) to directly send SMTP. Spam would stop if ISPs stopped accepting smtp connections from other computers that have been delivering spam." On this notion I say ISPs are owned by the monetary dominant, or at least take orders from the monetary dominant. Their primary interest is squashing the political speech that would establish direct democracy and calorie economics, thereby eliminating finance economics for all time. You said "When we talk about spam, we need solutions that refuse to accept connections from spammers. Home users shouldn't be sending smtp mail directly, but should be going through their own ISP; so blocking smtp connections from home users is not a stretch." Isn't it funny that the whole of the internet, the operation of most ISPs, the architecture of email technology, the knowledge level of end users, Microsoft's open window of a securityless operating system, all of it facilitates spam, wastes time and limits political speech...

igorkrav

I may add some points. It's hard to catch a spammer but really easy to find who ordered the spam. We have links to "Don't be ashamed because of your instrument length" web sites in every email. Sure, it should be the law, but I think the provider should disconnect such web sites.

Absolutely

"Spam would stop if ISPs stopped allowing their home users (or actually, the bots on those computers) to directly send SMTP. Spam would stop if ISPs stopped accepting smtp connections from other computers that have been delivering spam." That punishes responsible owners of secured e-mail servers for the actions of spammers, and the inaction of users of un-secured computers that become botnets. I wouldn't like that.

"Botnets would stop being created if people and businesses would keep their computers safe. That's true. But it would only slow spam down a bit. When we talk about spam, we need solutions that refuse to accept connections from spammers. Home users shouldn't be sending smtp mail directly, but should be going through their own ISP; so blocking smtp connections from home users is not a stretch." I think combining whitelists with reliable means of verifying the identity of the sender is the most elegant, and therefore most likely to be successful, of the various methods I've seen outlined.

"Laws might help if they are written by someone other than the Direct Marketing Association. The standard for commercial email must be confirmed opt-in -- not opt-out, not no-mail lists, but simple ways to confirm that the owner of a mailbox wants to receive the messages. Direct Marketers should be realizing that spam is a cancer that needs radical treatment, otherwise their feeble, legal attempts to communicate are lost in the torrent of spam. Radical means they need to give up the right to send email to anyone they want whenever they want, and enforce strict standards among their own colleagues. And they need to help with the fight against criminal syndicates." Huh, I'm definitely sympathetic to that! Unfortunately, my Fairy Godmother hasn't replied to my e-mail request to wave her magic wand and do that. I think she's inundated by SPAM.

One last thing, about "Radical means they need to give up the right to send email to anyone they want whenever they want, and enforce strict standards among their own colleagues." Freedom of speech includes no right to expect an audience. This is not a matter of Direct Marketers giving up a right. This is a matter of reclaiming the rights of recipients to control what messages enter our homes. Maybe that's already what you meant, but the phrasing suggested to me that Direct Marketing has a right to SPAM, which would mean that attempts to block SPAM infringe on the senders' rights. Well, you mentioned bots, so I'm sure you didn't mean that. Sorry if this looks like nit-picky legalese, but I believe this general distinction between the right to speech, and the fallacy of a right to be heard, needs to be established in court. Know any good lawyers?

tony.hoad

I teach groups of seniors basic computing and didn't care much for the patronising "grandma and grandpa winusers" sneer. Making it more difficult for novice users is not the answer. In normal internet use the average download to upload ratio is between 10 to 1 and 5 to 1. A compromised computer, part of a botnet, will usually reverse these ratios and uploads exceed downloads. If more ISPs charged for total traffic instead of only downloads and sent an automated warning to customers when there was unusual upload traffic, together with info or a link to deal with the infection, folk would take action because they are paying for the spammers to use their computer. Nothing like a hip pocket hit to motivate. I also like the idea of restricting root privileges - I can think of no reason why an average home user needs them on a day to day basis. BTW it only takes about 10 secs to turn off Vista's infuriating nags about everything.

Absolutely

That's a whole lot of "more of the same." "The real fight against spam has to go into protecting users from being infected. The fight is: * in the hands of OS and software writers to close security issues, to provide better automation of security updates, to give faster responses to newly discovered exploits, and to provide the necessary cleaning tools that should also run without much complication for users. * in the hands of ISPs, to block the spread of malwares: this requires some automated monitoring of network connections to detect and block the spread of malwares before they reach too many unprotected new targets. But it also requires a faster and more effective collaboration of ISPs in case of new malicious spreads." I think all those strategies that you want to keep doing the same, but bigger and faster, have already had much more than enough money thrown at them.

don.gulledge

I've always thought that if someone created a central site that spam email could be sent to, it would spam the spammers and before long they'd quit because they wouldn't want to be spammed to death. I think all the ideas about spamming and security are right, but will it ever come to pass? In the meantime, I'd like to have an inbox where I could sift through and get the ones I want and have the rest automatically rejected. And, automatically rejected if they come again under the same address. Then, the choice is mine, not some program's. They can still use filtering to eliminate the more obvious and well known stuff. But, I haven't been able to exchange email with my daughter since our ISP put in a new system for blocking email. We're forced to use the phone. Why can't they loosen up on the blockers and implement a white list? Do both and maybe some day someone will figure out how to eliminate spam, although I know that charging per usage isn't the way because they'd just figure out a way to pass that on too or you'd end up having to pay for it. Don't trust a system that has to charge to fix a flaw in the system. Get serious, how can you regulate a Russian or Filipino spammer? If they could just eliminate the viagra spam, that would eliminate half.

rgetsla

A major part of the problem here is the sheer volume of useless traffic in the form of spam occupying network bandwidth. Tossing away spam when it arrives does not solve the choking effect it has on the Internet backbone. A much better place to stop spam is at the source. I think the folks who advocate using *nix as a solution are onto something. Microsoft has, for far too long, given basic users root privileges and allowed them to use their machines that way 24/7. WHY? What if Microsoft did what most *nix systems do: force everyone to use a normal user account most of the time, and require them to be promoted to "super users" or to gain "root" privileges only when system level changes need to be made? If Windows had some sort of timer function that forced a "super user" to revert back into being a normal user after a short time, or after performing an administrative task, and required an administrative password (different from the normal user password) every time an administrative level task needed to be done, most spam would be stopped immediately because turning a machine into a "zombie" and building "botnets" with them would be much more difficult. A second solution is to physically disconnect a computer from the network when the computer is not actively in use, even though it may still be powered up. There is a product called a "databreaker" which senses the AC current consumed by a computer monitor and, when the AC supply current drops (indicating a "screen saver" or a "power saver" has kicked in), automatically disconnects the machine from a LAN. An active switch like this could prevent a home desktop from acting like a "zombie" and spewing spam because most of the time, that desktop would not be connected to the outside world. For more information regarding this automatic data switch, here is a link to it: http://databreaker.com/ I realize these solutions are not for everyone.
But I think it is possible to keep most machines from becoming "zombies" in the first place, by changing their OS run level. I also think automatically disconnecting a home computer from the outside world whenever it is not actively in use might also slow the flow of spam through the backbones.

Brian

The idea of "just delete it" is part of the problem. The issue is that spam shouldn't be able to be sent in the first place. If I have to delete it, or search through it for legitimate messages, then it isn't an effective solution. There are two ways of improving the situation. First is that ISPs should block port 25 (SMTP) outbound from their customers, except to their own SMTP server, unless specifically required. I'd bet 99% don't need SMTP. Second is for people to stop buying the stuff advertised through spam. They wouldn't do it if there wasn't a market for it.

JCitizen

Let users block certain words from subject lines and sender names. That alone would clear almost all the junk I have left on Outlook 2003. In fact it would be magnanimous if Outlook would send that cr@p to the deleted folder, but somehow the messages hide the obvious from the rules set.

Absolutely

"What happens when you get a valid email swallowed up by the SPAM filter? Business is slowed down while the end users waits for the email. It is a few hours before they call the techs who have to manually go into the quarantine and release the SPAM." Software exists that would let your end users log in to a webmail thingie to retrieve mail marked as spam, if I correctly understand Debian/Synaptic's description of SquirrelMail and a few related packages. I'm sure it would be non-trivial, and likely not tempting to your local MBA in near-term TCO terms, but for anybody looking to set up a mail system from scratch, I think they should not use whatever system was dumped on you. No matter how rare false positives are, they should not have been assumed zero, which is effectively what your "solution provider" did to you.

wszwarc

I agree that SPAM is relatively cost-free from the "send" side, but at $0.41 a shot, I still get plenty of spam in my postal mailbox, every day. From that, I postulate that cost is not the biggest issue of the spammer. A factor, but not the biggest issue. I believe that ease of use is the biggest issue. So, how do we make SPAM more difficult to send? Force all users to adequately protect their systems. If they are sending SPAM, even unknowingly, have their internet connection cut and fine them an exorbitant amount. Hopefully that last paragraph upset you and you started thinking I was a jerk. In actuality, it really is the only way to curb SPAM, but I would never want to see it become reality. Unfortunately, there must be profitability in SPAM or SPAMMERS would cease and desist on their own. What we are subject to is one of the downsides of an increasingly interconnected world. If you think this is bad, stick around another 10 years and see how much worse it will become. And for SPAMMERs, they see benefit in what the rest of us see as a nuisance. One man's ceiling is another man's floor.

Absolutely

http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=253776&messageID=2427966 Guesses as to the feasibility, likely effectiveness, marketability are especially welcomed. I'm particularly interested in your input because of [i]As an IT executive, I'm surprised you don't understand the underlying cost of spam...At least you can tell the post office not to put junk mail in your mailbox (in Canada, anyway). Spammers don't give you that choice.[/i] That is exactly my view.

apotheon

1. Phishing websites (and most of those [b]are[/b] phishing websites) are not legitimate websites. They're other people's websites, hijacked. 2. Having done some spam- and phishing-related security research myself, I can tell you that by the time one receives those emails the websites are usually gone. It only takes a few hundred people entering credit card numbers or otherwise disclosing information (even if it's only information to the effect of "I'm gullible, send me more spam!") for it to be worthwhile to the phishers and spammers of the world.

Absolutely

[i]But, I haven't been able to exchange email with my daughter since our ISP put in a new system for blocking email. We're forced to use the phone.[/i] Of course, there are worse things than talking to family on the phone, but you [u]should[/u] be able to send e-mail! Have you tried Gmail? It might help in the short term. In the long term, have you considered Linux? Two programs, fetchmail & procmail, are pretty darn easy to set up to do just what you described. [i]I think all the ideas about spamming and security are right, but will it ever come to pass? In the meantime, I'd like to have an inbox where I could sift thru and get the ones I want and have the rest automatically rejected. And, automatically rejected if they come again under the same address. Then, the choice is mine, not some program's. They can still use filtering to eliminate the more obvious and well-known stuff.[/i] What you do is create a text file, which has a line for each sender you want to not delete. Those, you either send to a particular folder, or to the 'maildrop' program to be delivered to a standard e-mail client [Outlook, Pine, Thunderbird, whatever you have lying around]. http://blogs.techrepublic.com.com/opensource/?p=145&tag=nl.e138 http://blogs.techrepublic.com.com/opensource/?p=148&tag=nl.e550 http://wiki.archlinux.org/index.php/Email_Server_with_Courier_fetchmail_procmail [i]Get serious, how can you regulate a Russian or Filipino spammer?[/i] With encrypted authentication, I can make it [u]extremely[/u] difficult for either of them to dupe a mail server into believing they're legitimate contacts whose messages should be allowed to pollute my property.
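The whitelist-file approach described above (one sender per line, whitelisted mail delivered, everything else rejected, and a repeat from an already-rejected address dropped automatically), as an added example in Python rather than a procmail recipe; it is not code from the thread, and the sample messages and whitelist contents are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages, standing in for what fetchmail would hand to the filter.
SAMPLE_MESSAGES = [
    "From: Daughter <daughter@example.com>\nSubject: hi\n\nhello\n",
    "From: \"Great Deals\" <promo@spamvertised.example>\nSubject: Buy now\n\n...\n",
    "From: promo@spamvertised.example\nSubject: Buy now again\n\n...\n",
    "From: Friend <friend@example.org>\nSubject: lunch?\n\nsee you\n",
]

# Constructed contents of the whitelist text file: one address per line.
WHITELIST_TEXT = """
# one address per line; blank lines and comments are ignored
daughter@example.com
Friend@Example.org
"""


def load_whitelist(text):
    """Parse the whitelist file into a set of lower-cased addresses."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            addrs.add(line.lower())
    return addrs


def sender_of(raw):
    """Return the bare, lower-cased address from the From: header (display name stripped)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.lower()


class WhitelistFilter:
    """Route mail: whitelisted senders to the inbox, others rejected; a sender that
    was rejected once is rejected automatically when it shows up again."""

    def __init__(self, whitelist):
        self.whitelist = whitelist
        self.rejected = set()  # addresses already bounced once

    def route(self, raw):
        addr = sender_of(raw)
        if addr in self.whitelist:
            return "inbox"
        if addr in self.rejected:
            return "auto-rejected"
        self.rejected.add(addr)
        return "rejected"


def run(messages=SAMPLE_MESSAGES, whitelist_text=WHITELIST_TEXT):
    """Filter each message in order and report (sender, decision) pairs."""
    flt = WhitelistFilter(load_whitelist(whitelist_text))
    return [(sender_of(m), flt.route(m)) for m in messages]
```

The From: header is trivially forged, which is why the same post pairs the whitelist with encrypted authentication: the file decides whose mail you want, not whether the message really came from them.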

Justin James

"What if Microsoft did what most *nix systems do; force everyone to use a normal user account most of the time, and require them to be promoted to "super users" or to gain "root" privileges only when system level changes need to be made?" Vista does this. In fact, it does it in a mechanism that many believe is more effective than the sudo mechanism that many Linux distributions employ as their system for this, like Ubuntu. J.Ja

TechRepublic

If the spammers don't get PAID for their efforts, there will be enormously less of it. Go after the businesses that pay the spammers. Hard!

PhilippeV

Currently, the DNS servers are just providing data that gets distributed to many other slave DNS servers in their caches. However, DNS servers should be able to collect and aggregate statistical data at the same time about the usage of a domain name. This would help detect the sudden surge in use of a domain name (that was previously stale) caused by spamvertized contents. This should involve the whole chain in the DNS system, including the "root" DNS servers. Publishing the usage statistics should be performed by most major ISPs when their own DNS caches are retrieving information about any domain they don't have in their cache. This would allow tracing the effective points of infection or spamvertized contents, by just following the aggregated statistics. A similar thing should be done about the use of IP ranges: this can be implemented as part of the gateway-to-gateway routing protocols, or via the IP routing announcement feeds (that should also have a return path for those statistics). Generally, when following these stats, you would finally find a convergence hotspot at a precise ASN. If this ASN is identified, we know who controls the network, and the upstream routing providers can investigate and sample the traffic to see the amount of spew in it. Resolution of infections would be faster if we could more easily locate these points of injection. As you see, there's no single solution. The fight against spam must be done on every part of the internet and protocols that spammers need to deliver their spew or to host their spamvertized sites. Isolating the fight only to the SMTP protocol itself is illusory.
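The "sudden surge for a previously stale name" signal PhilippeV proposes, worked through as an added example (not code from the thread): queries are aggregated per domain and per hour from a constructed resolver log whose line format is assumed, and a window is flagged when its count clears a minimum and dwarfs that domain's best earlier hour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver query log: "<timestamp> <client> query <name>" (format assumed).
SAMPLE_LOG = """\
2008-03-01T09:12:04 10.0.0.5 query shop.example.com
2008-03-01T09:20:31 10.0.0.9 query news.example.org
2008-03-01T09:31:07 10.0.0.3 query news.example.org
2008-03-01T09:44:55 10.0.0.9 query news.example.org
2008-03-01T09:58:12 10.0.0.11 query news.example.org
2008-03-01T10:03:11 10.0.0.5 query shop.example.com
2008-03-01T10:05:40 10.0.0.3 query news.example.org
2008-03-01T10:08:21 10.0.0.7 query pills.spamvertised.example
2008-03-01T10:08:22 10.0.0.12 query pills.spamvertised.example
2008-03-01T10:08:25 10.0.0.14 query pills.spamvertised.example
2008-03-01T10:08:29 10.0.0.2 query pills.spamvertised.example
2008-03-01T10:08:33 10.0.0.21 query pills.spamvertised.example
2008-03-01T10:15:02 10.0.0.9 query news.example.org
this line is malformed and must be skipped
2008-03-01T10:27:48 10.0.0.11 query news.example.org
2008-03-01T10:41:19 10.0.0.4 query news.example.org
2008-03-01T10:52:30 10.0.0.9 query news.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def parse_log(text):
    """Yield (hour_window, domain) for each well-formed line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        yield ts.strftime("%Y-%m-%dT%H"), m.group(3).lower().rstrip(".")


def aggregate(text):
    """Count queries per domain per hour: the statistic a cache could publish."""
    counts = defaultdict(lambda: defaultdict(int))
    for window, domain in parse_log(text):
        counts[domain][window] += 1
    return counts


def find_surges(counts, min_queries=5, factor=4):
    """Flag (domain, window, count, baseline) where volume jumps from a stale
    or tiny baseline; baseline is the domain's busiest earlier window (0 if none).
    A steady, already-busy name never trips the ratio test."""
    surges = []
    for domain, per_window in counts.items():
        windows = sorted(per_window)
        for i, w in enumerate(windows):
            baseline = max((per_window[x] for x in windows[:i]), default=0)
            n = per_window[w]
            if n >= min_queries and n > factor * baseline:
                surges.append((domain, w, n, baseline))
    return surges
```

A surge is a lead for the investigation and traffic sampling the post describes, not proof on its own: a name in the news produces the same shape, so the hit needs to be correlated with mail content or the source ASN before anyone acts on it.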

PhilippeV

This is also more complicated than it appears. The truth is that people, after some long enough use of the Internet, can't really remember the fact that they have actively subscribed to online services, or with whom they've discussed; many are reporting spams despite having authorized the use of their email address. Whitelists will not help them, as they can also clean it completely or lose their settings at any time, until they are completely unable to determine whether what they receive is spam or not (for some part of the emails, it's very easy to see that this is spam, but there will still be lots of stuff sent by organizations with whom they traded in the past, and not only on the internet). So, yes, people are "buying" things from the spams. But many more are just following the link to see what looks like an interesting offer. Even if they don't buy anything actively, the simple fact of opening the email to read it (including remote images), or following the link, will generate traffic on some remote website that is used to collect advertising fees. One way to stop this would be to stop completely those banner exchange services. Buying advertising space on the web should require an explicit agreement between the advertiser and the web site author, not just the subscription to some banner exchange or ads exchange services. For example, put GoogleAds out of service; it is more harmful than helpful, including for legitimate advertisers, because there's no contract between the effective advertisers and the website designers, and it generates revenues for spammers sending links to their many spamvertized websites. Another thing to investigate: why are spammers creating so many domain names using redirects or domain name aliases? Creating domain name aliases should be much more costly. This would limit the proliferation of random websites referenced in the content of their spew. Reducing dramatically the number of spamvertized targets would help locate the offenders much more easily and would increase the efficiency of filters. The same should be done by increasing a lot the cost for hosting one's own DNS server, or having it supported as a subdomain of some ISP. There's no reason that we continue tolerating the proliferation of DNS servers where spammers can host as many domains as they want. We need a reputation system for DNS servers (because for almost all users, this information is completely invisible to them, and out of their control, as they just see a domain name which indicates really nothing). Note that spammers are still profiting a lot from the fact that buying a new domain name does not cost them a lot (but requiring the increase of cost per domain is unacceptable). Change this by increasing the charges for hosting a private DNS server connected to the internet, and in contrast, have ISPs reduce the cost for hosting a domain on their own, better-managed, DNS servers.

JCitizen

No wonder I see so many people calling for the death penalty to spammers! They were serious too; perhaps! Why can't we get news like this on TR? I wouldn't think it would be possible to confirm - surely Pravda or Novaya Gazeta has mentioned these stories.

seanferd

That was just you being PO'd? The Nemesis of spammers. I like the idea!

seanferd

for ISP e-mail and internet accounts. SSL connection, but not secure authentication? Why? It just seems plain stupid.

Absolutely

Even that is just reducing the odds, but reducing them enough to render 90% of successes impossible would eliminate 100% of the motive to use computers for scams, at least the type that have been common lately. IPv6 by itself can only provide a marginal advantage because it can easily be faked. A good encryption key is a whole different ball of wax.

JCitizen

these IP addresses I see in the header information are actually from the ISP of the offending spam bot server. If one could gain this information I still see limited use, as I can't get court action on people who attack my firewall from my ISP unless I can prove they are up to mischief. I would think the same thing would happen if you knew not only who the ISP was but who the bot host was. Pretty worthless - legally, that is.

Absolutely

http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=251095&messageID=2408871 [i]However I don't know what to make of the poster who suggested IPv6 static addressing and how that would make a difference. I suppose this would just shift the problem "up river" so to speak.[/i] IPv6, as I understand it, is just a larger address space than IPv4. Unless it also includes something I don't know about, which would prevent IP forgery and sender forgery, it won't really do much.

JCitizen

but I didn't like the thought of sending email out automatically to anyone not on my address list. From comments I have read here there is plenty of logic showing how this is bad. It is good discussion. However, I don't know what to make of the poster who suggested IPv6 static addressing and how that would make a difference. I suppose this would just shift the problem "up river" so to speak.

apotheon

"[i] It would be nice if postini and other filters simply... let users block certain words from subject lines and sender names. That alone would clear almost all junk I have left on Outlook 2003.[/i]" It's unfortunate you're using MS Windows. There are many and varied options for doing exactly that on Unix-like systems. The first that comes to mind is procmail. Even mail user agents like mutt come with such functionality.

Absolutely

Bulk mail does [u]not[/u] cost $0.41 / piece. I don't know the exact discount, but third class/media rate vs. first class rate for books & CDs should give a decent approximation. As I vaguely recall, bulk mail is less than half the price, per piece, of first-class letters.

JCitizen

I got a feeling that type of suggestion/demand would fall on deaf ears at my ISP because they sell postini and that would cut into their money pit. I will try it anyway.

apotheon

Demand encrypted authentication for email from your service provider(s). Recommend they help others use encrypted authentication as well.

apotheon

That's a lot more reasonable.

JCitizen

I am surprised there isn't more serious discussion about this subject here, as it was one of the most serious subjects at almost every one of my IT meetings with our CIO. I can't remember what we used to police spam on our exchange server, but it worked pretty well for 2005. Now I doubt it would work at all. Thank God that contract is over!

Absolutely

JCitizen: [i]Seems like the worst offenders I know leave their gigabit net service on 24/7 and they hardly actually get on the unit at all. Those being desktop "abusers".[/i] If you asked me to pull a number out of the ether, I'd guess that the X-Originating-IP of at least 99% of spam is a desktop in somebody's home, with a broadband connection. Since mail retrieval to desktop clients rarely uses encryption, establishing connections to the ISPs' smtp services is trivial, and that's where my problem begins with the general idea of ISPs shutting off ... anything. They know that end users will pretty much use what's provided to us, as-is, meaning Outlook Express and unencrypted smtp and pop3 or imap. Spam bots can't send outgoing messages without those passwords, and can only get them so easily because they're not required [u]by the ISP[/u] to be encrypted. Blocking any port is assuming a network administrator role over home networks which are not the property of any ISP. If they want to play sysadmin, they may start by taking reasonable first steps to make communications with their servers secure. Until they do that, I will not be able to take seriously the idea that home users' responsibility for SPAM is greater than our ISPs' responsibility for same.

JCitizen

in my fantasy scenario of only blocking SMTP from abusers only. I was trying to get a feeling about who anyone thought the main load for spamming came from; desktop or server. Seems like the worst offenders I know leave their gigabit net service on 24/7 and they hardly actually get on the unit at all. Those being desktop "abusers".

JCitizen

my questions anyway. My fantasy gateway/switch would block all SMTP from selected IPs known for abuse. But the code word here is "fantasy". I apologize for sounding like I was for blocking ALL such traffic behind any ISP.

Absolutely

Like apotheon said, there are legitimate reasons to run a mail server, and all customers shouldn't be punished with diminished options for the mistakes of a few, or of a very large minority, or even a majority of customers, if that's the case. ISPs could notify customers by e-mail or phone that their computers are behaving like spam bots, but just blocking port 25 outright would be exceeding their purview.

apotheon

I'm not a fan of ISPs blocking all SMTP traffic. Some people like to run their own mail servers, after all -- for entirely legitimate reasons.

JCitizen

clueless desktop users and not clueless server operators? Would blocking SMTP from everyone but registered servers within the ISP do any good? Even then, this might initiate protest from those that like P2P, as they would think they were next.

Ambercroft

My spam analysis program has shown that my spam is coming from all over (IP and e-mail check), but the URLs end up at relatively few locations (approx 16%). Only one of the last hundred had a deactivated site.

keshin

The real way to stop spam is to have ICANN enforce the rules for registrars which require each domain registrant to be accurate on their application for a domain name. Check out www.knujon.com for an alternative to all the proposed solutions that actually works.

Tony Hopkinson

for UAC, if you aren't running as admin. Not a big MS fan, but we are never going to get anywhere while people log on as admin and click OK. Ubuntu's does require a password; however, it's the user's, which also strikes me as less than perfect. You can set Ubuntu up properly, though. Just for completeness.

JCitizen

thought it meant "pseudo" :)

cacycleworks

If we're talking about the annoying popups in vista (or any windows), that doesn't work either. windows is so overrun by nag-dialogs that we're all trained to simply hit enter or click OK without actually reading the message. I believe that limiting the dialogs to ones that actually matter still won't work for long term windows users due to how well "trained" they (and formerly I) are at killing the nag boxes to maintain productivity. In this regard, it's my opinion that linux is a far better desktop OS. Less susceptible to windows malware/etc but also much more productive. I've got a dozen or so KDE macros set up for e-mailing which almost doubled my proficiency. Also, linux nag dialogs for privileged operations require a password to be typed in, causing the brain to snap out of its existing train of thought and focus on what the nag box is trying to say. :) chris

apotheon

"[i]Vista does this.[/i]" It [b]sorta[/b] does this. As long as the underlying system architecture doesn't implement complete privilege separation, however, and allow reasonable software activity without having to escalate privileges while preventing that software from automatically escalating privileges for actual system-level tasks, the effectiveness of Microsoft's attempts to provide explicit admin access as a security measure will always be iffy at best. "[i]In fact, it does it in a mechanism that many believe is more effective than the sudo mechanism that many Linux distributions employ as their system for this, like Ubuntu.[/i]" People believe all kinds of crazy things.

Absolutely

[i]What about in the oil?[/i] I hope you get this warning in time: sugar does not belong in any part of your car, other than maybe the passenger area. Any damage it does to your car from there will at least be non-catastrophic.

Ambercroft

Yikes, after ruining five cars, now I find out sugar isn't good in the gas tank. What about in the oil?

Justin James

People really, earnestly want to believe that because there are literally no moving parts in a PC (which is merely a perception; it does have a few moving parts) that it does not require regular maintenance. As we all know, this simply is not true. Even with an OS set to perform automatic updates, a file system that does not need defragging, and so on, there is still always maintenance to be performed. It's amazing that people will bring a $500 beat-up car to get a $25 oil change every few months, but won't spend a cent or a minute to maintain their PC. If people treated their cars like they treated their PCs, no car manufacturer could make a profit on a car they sold with a warranty on it; the rate of return would be too high. And, of course, too many people are telling PC owners to put sugar in their gas tank. Oh, PC is running slow? Don't check for malware, just defrag the disk! J.Ja

apotheon

You're too kind. I trust you'll let me know if I'm falling down on the job.

Absolutely

I was talking about the sound-bite crap directed to end-users, not the cream of the crop of sources for IT Professionals. Sorry.

apotheon

I'm here to tell you that you shouldn't put sugar in your gas tank.

Absolutely

PhilippeV: [i]Whitelists will not help them, as they can also clean it completely or lose their settings at any time, until they are completely unable to determine whether what they receive is spam or not (for some part of the emails, it's very easy to see that this is spam, but there will still be lots of stuff sent by organizations with whom they traded in the past, and not only on the internet).[/i] People -- millions, or billions of us -- keep our automobiles tuned sufficiently to function for many years. There are horridly neglected computers and automobiles, but at least in the latter case, I can look on the road and see, beyond a doubt, that those are anomalies. The computer would not be useful if every user needed to be an expert in all its operations, just as automobiles would not be useful if everybody had to become an expert mechanic to be a driver. If the average driver got auto maintenance advice on par with what the computer industry spews, we'd all be putting sugar in our gas tanks and replacing our oil with molasses.